From 66a4f0391cd4f71834a0466ce0bf8fca860f8652 Mon Sep 17 00:00:00 2001
From: Shubham Chaudhary
Date: Tue, 15 Dec 2020 13:36:19 +0530
Subject: [PATCH] chore(psp): Adding allowHostPath in psp (#390)
Signed-off-by: shubhamchaudhary
---
charts/generic/disk-fill/experiment.yaml | 2 +-
charts/generic/pod-delete/litmus-psp.yaml | 34 ---------------
pod-security-policy/psp-litmus.yaml | 50 +++++++++++++++++++++++
3 files changed, 51 insertions(+), 35 deletions(-)
delete mode 100644 charts/generic/pod-delete/litmus-psp.yaml
create mode 100644 pod-security-policy/psp-litmus.yaml
diff --git a/charts/generic/disk-fill/experiment.yaml b/charts/generic/disk-fill/experiment.yaml
index 92ca395..cf63a26 100644
--- a/charts/generic/disk-fill/experiment.yaml
+++ b/charts/generic/disk-fill/experiment.yaml
@@ -74,7 +74,7 @@ spec:
 value: 'litmuschaos/go-runner:latest'
 # Provide the container runtime path
- # Default set to docker
+ # Default set to docker container path
 - name: CONTAINER_PATH
 value: '/var/lib/docker/containers'
diff --git a/charts/generic/pod-delete/litmus-psp.yaml b/charts/generic/pod-delete/litmus-psp.yaml
deleted file mode 100644
index c82cba1..0000000
--- a/charts/generic/pod-delete/litmus-psp.yaml
+++ /dev/null
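Review bot: The reworded comment above CONTAINER_PATH still names only docker, while the PSP added in this same commit lists the containerd and cri-o equivalents next to its own pathPrefix entries; mirroring that hint here would spare users of other runtimes a hunt through pod-security-policy/psp-litmus.yaml. A comment such as `# Default set to docker container path; containerd/cri-o users should set their runtime's container path instead (see pod-security-policy/psp-litmus.yaml)` would do. The env list this entry belongs to starts outside the hunk.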
@@ -1,34 +0,0 @@
-apiVersion: policy/v1beta1
-kind: PodSecurityPolicy
-metadata:
- name: litmus
- annotations:
- seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
-spec:
- privileged: false
- # Required to prevent escalations to root.
- allowPrivilegeEscalation: false
- # Allow core volume types.
- volumes:
- - 'configMap'
- - 'emptyDir'
- - 'projected'
- - 'secret'
- - 'downwardAPI'
- # Assume that persistentVolumes set up by the cluster admin are safe to use.
- - 'persistentVolumeClaim'
- - 'hostPath'
- hostNetwork: false
- hostIPC: false
- hostPID: false
- runAsUser:
- # Require the container to run without root privileges.
- rule: 'RunAsAny'
- seLinux:
- # This policy assumes the nodes are using AppArmor rather than SELinux.
- rule: 'RunAsAny'
- supplementalGroups:
- rule: 'RunAsAny'
- fsGroup:
- rule: 'RunAsAny'
- readOnlyRootFilesystem: false
\ No newline at end of file
diff --git a/pod-security-policy/psp-litmus.yaml b/pod-security-policy/psp-litmus.yaml
new file mode 100644
index 0000000..e6e0889
--- /dev/null
+++ b/pod-security-policy/psp-litmus.yaml
@@ -0,0 +1,50 @@
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: litmus
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: '*'
+spec:
+ privileged: true
+ # Required to prevent escalations to root.
+ allowPrivilegeEscalation: true
+ # Allow core volume types.
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ # Assume that persistentVolumes set up by the cluster admin are safe to use.
+ - 'persistentVolumeClaim'
+ allowedHostPaths:
+ # substitutes this path with an appropriate socket path
+ # ex: '/var/run/docker.sock', '/run/containerd/containerd.sock', '/run/crio/crio.sock'
+ - pathPrefix: "/var/run/docker.sock"
+ # substitutes this path with an appropriate container path
+ # ex: '/var/lib/docker/containers', '/var/lib/containerd/io.containerd.runtime.v1.linux/k8s.io', '/var/lib/containers/storage/overlay/'
+ - pathPrefix: "/var/lib/docker/containers"
+ allowedCapabilities:
+ - "NET_ADMIN"
+ - "SYS_ADMIN"
+ hostNetwork: false
+ hostIPC: false
+ hostPID: true
+ runAsUser:
+ rule: 'RunAsAny'
+ seLinux:
+ # This policy assumes the nodes are using AppArmor rather than SELinux.
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ # Forbid adding the root group.
+ - min: 1
+ max: 65535
+ readOnlyRootFilesystem: false
\ No newline at end of file
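Review bot: `allowedHostPaths` only constrains hostPath volumes that the policy already permits, and the new file's `volumes:` list drops the `- 'hostPath'` entry the deleted charts/generic/pod-delete/litmus-psp.yaml had, so a pod mounting the runtime socket or container directory is still rejected and the new allow-list never applies; unless blocking hostPath volumes is intended, add `- 'hostPath'` after `- 'persistentVolumeClaim'`. The comment `# Required to prevent escalations to root.` was carried over from the old file but now sits above `allowPrivilegeEscalation: true`, which states the opposite, so it should be replaced with the reason escalation is permitted here (presumably the experiments that talk to the runtime socket — confirm). Since `privileged: true` already gives a container effectively the full capability set, the `allowedCapabilities` list narrows nothing; a comment noting that it only documents what the experiments request would stop readers from treating it as a restriction. The file also ends without a trailing newline.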